Bump…

Hmm. No local DNS resolution, but no routes to the Internet either. Frustrating.

Their analysis was better than mine but reached the same conclusion. There's no way to exploit it via OpenVPN.

It's still difficult to exploit even using other methods.

http://it.slashdot.org/story/14/06/28/1949243/are-the-hard-to-exploit-bugs-in-lzo-compression-algorithm-just-hype

Apparently the lag was due to packet loss on the servers wan adapter.

The stupid part is that server has 2 WAN's. DSL and cable. The OpenVPN server is setup to use the CLUSTER (combined) adapter. My client is setup to connect on either IP address. For some reason the load balancing wouldn't kill the cable connection with the heavy packet loss. Even though in the gateways have settings of 1 and 3 in the packet loss threshold with a down of 4.

Any idea why the cable connection would not boot itself from the load balancing cluster? :/

@jimp:

Any CARP VIPs? IP aliases on CARP VIPs?

hi Jimp,
i think is something with the installed certificate or with previous installation of Pfsense.
i tried the same profile on a different computer a never installed Openvpn and it works.
is there is away to clean all installed certificate of Pfsense ? and all other trach ?

i fixed the problem,
for people with the same problem,
go to cert manager on your windows and delete the openvpn certificate,
remove openvpn and install it again

Sorry, solved.

Enter any additional options you would like to add for this client specific override, separated by a semicolon EXAMPLE: push "route 10.0.0.0 255.255.255.0";

Ok will do. thanks for that.

@heper:

you probably did something wrong in generating the certs. (no clue what)

just start from scratch and try again with new a CA
generate the servercert&usercert from the newly created CA.

should be fine

Alright, will do. Thanks.

Please don't hijack unrelated posts, split this into its own thread.

I don't know if this is a perfect solution but it works.  This will help with Netflix but not with torrent traffic.

After setting up the VPN to work, create this firewall rule and leave it on top.

set to: Pass
Interface: LAN
Source:  Local ip address of what is using netflix
Destination: any
Gateway: your vpn

This will make  only that device send all of its traffic through the vpn.  Remember you have to give it a static ip address in status-> dhcp leases  .  To prevent the rest of your network from being on that vpn, you have to set a kill switch rule under that.  I think this will work.

set to: Block
Interface: LAN
Source:  LAN Address    <–-( exact words by the way)
Destination: any
Gateway: your vpn

@chemlud:

Is snort involved  on your pfSense? I would wireshark the LAN side, to see what's going on between the laptop and the pfSense box… :)

You got me on the right track,, thanks.

No I dont have snort on the fw….but...

I hade a D-link switched called DGS-1210-16 with a Security option enabled.

The switch itself can protect from:

Land Attack
Blat Attack
TCP Null Scan
TCP Xmascan
TCP SYNFIN
TCP SYN Src Port Less 1024
Ping Death Attack
TCP Tiny Frag Attack

And the problem was the Blat Attack rule, if I disabled it on the Switch then the OpenVPN connection worked perfect.

Thanks to all that tried to help.